Skillv1.0.0

ClawScan security

Brand Frontend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 19, 2026, 4:34 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions mostly match a Stitch-based landing-page workflow, but the package/credential/installation expectations in SKILL.md are not reflected in the registry metadata and could cause the agent to install packages or request a secret without that being declared.
Guidance: This skill appears to be what it says—a Stitch-driven landing-page designer—but there are a few things to consider before installing or invoking it: - Registry vs. instructions mismatch: The SKILL.md expects a STITCH_API_KEY and may install or use a Stitch SDK, but the registry does not declare any required env vars or an install spec. Ask the publisher to declare STITCH_API_KEY (and the exact required install steps) in the registry metadata. - Secrets handling: The skill will need your Stitch API key. Prefer setting STITCH_API_KEY in your environment (export in a shell or put in a local .env) rather than pasting the key into chat. Confirm the agent follows the SKILL.md guidance to never display or log the key. - Installation behavior: SKILL.md may cause the agent to run package-manager commands (global installs) to get the Stitch SDK. If you’re uncomfortable with automatic installs, run the SDK install yourself in a controlled environment and verify the SDK source (official repo or package name) first. - File writes: The skill will create and update .stitch/metadata.json and write generated HTML/assets to disk. If you want to limit impact, run the skill in a sandboxed or project-specific directory. What would make this clearly benign: updating the registry to declare STITCH_API_KEY as a required env var, providing an explicit, trusted install source (official SDK package name or GitHub release) or an optional install flag, and documenting exactly which runtime actions (commands) the agent will run when it installs the SDK. Without those, proceed only if you trust the skill source and are prepared to manage the SDK install and secret handling yourself.

Review Dimensions

Purpose & Capability: noteThe skill's stated purpose (brand-first landing pages using Google Stitch) aligns with the SKILL.md workflow: interview → create a Stitch project → generate HTML. However, SKILL.md expects a STITCH_API_KEY and SDK access even though the registry lists no required environment variables or install steps. Asking for a Stitch API key is coherent with the stated purpose, but the registry omission is an inconsistency.
Instruction Scope: okThe instructions are detailed and stay within the landing-page/design scope: they guide an interview, create a design system, call Stitch SDK tools, download generated HTML/screens, and persist state in .stitch/metadata.json. There is no instruction to read unrelated credentials or to exfiltrate data to arbitrary endpoints. The SKILL.md explicitly warns not to echo the API key.
Install Mechanism: concernThere is no install spec in the registry, yet SKILL.md instructs the agent to check for and (if missing) install the Stitch SDK (with a preference for global installs unless inside a project). That implies the agent may run package-manager commands (npm/pip/etc.) or network installs at runtime. Because the install source and method are unspecified in the registry, this increases risk: arbitrary network installs or global modifications could occur without review.
Credentials: concernSKILL.md requires a STITCH_API_KEY (and tells the user to export it or place it in .env) but the registry lists no required env vars or primary credential. The tool legitimately needs the Stitch API key for its purpose, but the metadata failing to declare that credential is an inconsistency that can lead to unexpected prompts for secrets or users pasting keys into chat.
Persistence & Privilege: noteThe skill persists state and outputs under a local .stitch/metadata.json and bundles (zip/deployment files). This file-write behavior is expected for this skill's purpose. always:false (default) is set, and the skill does not request system-wide privileges or modification of other skills. Because the skill can run and install SDKs, persistence combined with installation actions increases blast radius slightly, but not unusually so for a tool that generates files.